Trojan Found Pre-Installed on Some Android Devices

A trojan strand targeting Android devices has been found coming pre-installed inside the firmware of some Android smartphones by Dr.Web, a Russian-based antivirus vendor.

The trojan, detected as Android.Backdoor.114.origin, was discovered in the middle of September, and after Dr.Web staff contacted the phone’s manufacturer, no change has been made to the official firmware, which is still available for download online, in its malicious form.

According to Dr.Web’s staff, the malware was found inside the Oysters T104 HVi 3G smartphone, packed inside the GoogleQuickSearchBox.apk application, which comes pre-installed on the device.

This trojan is quite dangerous and comes with root privileges on the infected smartphone.

The trojan sends your data to the attackers

The trojan’s main role is to talk to a C&C (command-and-control) server. Android.Backdoor.114.origin can harvest and send the following details to its owners:

– Infected device’s unique identifier

– MAC address of the Bluetooth adapter

– Infected device’s type (smartphone or tablet)

– Parameters from the configuration file

– MAC address

– IMSI

– Malicious application version

– OS version

– API version of the device

– Network connection type

– Application package name

– Country ID

– Screen resolution

– Device manufacturer

– Model name

– Occupied SD card space

– Available SD card space

– Occupied internal memory space

– Available internal memory space

– List of applications installed in the system folder

– List of applications installed by the user

Once this information reaches the C&C, attackers can then send further commands, based on the received data, to carry out attacks specific to the user’s current configuration.

The trojan is a gateway for more dangerous malware

Most of the times, these instructions tell the infected device to download other applications, which can be used to serve unwanted ads, or even worse, lock the device and encrypt its files until a ransom is paid.

Because the trojan comes as a pre-installed app, the only way to get rid of it is by reinstalling a clean version of the operating system.